Open-Source Compliance

A discussion of open-source compliance, the challenges faced when establishing a compliance program, an overview of best practices and recommendations on how to deal with compliance inquiries.

Traditionally, platforms and software stacks were built using proprietary
software and consisted of various software building blocks that came from
different companies with negotiated licensing terms. The business
environment was predictable, and potential risks were mitigated through
license and contract negotiations with the software vendors. In time,
companies started to incorporate open-source software in their platforms
for the different advantages it offers (technical merit, time to market,
access to source code, customization and so on). With the introduction of
open-source software to what once were purely proprietary software stacks, the
business environment diverged from familiar territory and corporate comfort
zones (Figure 1). Open-source software licenses are not
negotiated agreements. No contracts are signed with software
providers (that is, open-source developers). Companies now must deal with
dozens of different licenses and hundreds or even thousands of licensors
and contributors. As a result, the risks that used to be managed through
license negotiations now must be managed through compliance and
engineering practices.

Open-source software initiatives provide companies with a vehicle to
accelerate innovation through collaboration with a global community of
open-source developers. However, accompanying the benefits of teaming with the
Open Source community are very important responsibilities. Companies must
ensure compliance with applicable open-source license obligations.
Open-source compliance means that open-source software users must observe all
copyright notices and satisfy all license obligations for the open-source
software they use. In addition, companies using open-source software
in commercial products, while complying with the terms of open-source
licenses, want to protect their intellectual property and that of third-party suppliers from unintended disclosure.

Open-source compliance involves establishing a clean baseline for the software
stack or platform code and then maintaining that clean baseline as features
and functionalities are added.

Failure to comply with open-source license obligations can result in the
following:

Companies paying possibly large sums of money for breach of open-source
licenses.

Companies being forced by third parties to block product shipment and do
product recalls.

Companies being mandated by courts to establish a more rigorous open-source
compliance program and appoint an “Open-Source Compliance
Officer” to monitor and ensure compliance with open-source licenses.

Companies losing their product differentiation and intellectual property
rights protection when required to release source code (and perceived
trade secrets) to the Open Source community and effectively license
it to competitors royalty-free.

Companies suffering negative press and unwanted public scrutiny as well
as damaged relationships with customers, suppliers and the Open Source
community.

FSF Compliance Lab

The Compliance Lab at the Free Software Foundation (FSF) helps enforce the license for all free software. Information about the life cycle of compliance cases handled by the FSF is available at www.fsf.org/licensing/compliance.

Lessons Learned

There are three main lessons to learn from the open-source compliance
infringement cases that have been made public to date:

Ensure that your company has an open-source management infrastructure in
place. Open-source compliance is not just a legal exercise or merely checking a
box. All facets of a company typically are involved in ensuring proper
compliance and contributing to the end-to-end management of open-source
software.

Make open-source compliance a priority before a product ships. Companies
must establish and maintain consistent open-source compliance policies
and procedures and ensure that open-source license(s) and proprietary
license(s) amicably coexist well before shipment.

Create and maintain a good relationship with the Open Source community.
The community provides source code, technical
support, testing, documentation and so on. Respecting the licenses of the
open-source components you use is the minimum you can do in return.
